[Bug 233147] New: AUDIT: cpufreq-selector suid binary
https://bugzilla.novell.com/show_bug.cgi?id=233147

           Summary: AUDIT: cpufreq-selector suid binary
           Product: openSUSE 10.3
           Version: unspecified
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
        AssignedTo: security-team@suse.de
        ReportedBy: sbrabec@novell.com
         QAContact: qa@suse.de

Reviewing GNOME packages I found that cpufreq-selector helper for cpufreq applet does not have SUID flag and that's why cpufreq applet does not work.

I am adding SUID flag just now (and later will add to permissions). Please review this binary.

Package: gnome-applets
Binary: /usr/bin/cpufreq-selector

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=233147

meissner@novell.com changed:

  What | Removed | Added
  -----+---------+----------------------------------------
  CC   |         | thoenig@novell.com, dkukawka@novell.com

------- Comment #1 from meissner@novell.com 2007-01-10 05:54 MST -------

Doesn't Hal itself provide such mechanisms? Danny/Timo?

The request to add setuid permissions is denied until this is cleared.

https://bugzilla.novell.com/show_bug.cgi?id=233147

------- Comment #2 from sbrabec@novell.com 2007-01-10 05:59 MST -------

cpufreq-selector is a simple binary accessing following files:

  /sys/devices/system/cpu/cpu*/cpufreq
  /proc/cpufreq

It does not use HAL.

If you can provide simple HAL helper with following API, I will replace it:

  cpufreq-selector --help
  Usage:
    cpufreq-selector [OPTION...] - CPUFreq Selector

  Help Options:
    -?, --help          Show help options

  Application Options:
    -c, --cpu           CPU Number
    -g, --governor      Governor
    -f, --frequency     Frequency in KHz
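
Added example (not part of the bug report and not gnome-applets code): the argument checks a reviewer would look for in a setuid helper that takes a CPU number and a governor name and writes under /sys/devices/system/cpu/cpu*/cpufreq. The function names, the CPU limit of 255 and the 15-byte name bound are assumptions; scaling_governor and scaling_available_governors are the kernel's sysfs file names, and the governor list in main() is constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* CPU index: decimal digits only, no sign, no trailing bytes, bounded. */
int parse_cpu(const char *s, long max_cpu) {
    char *end;
    if (s == NULL || !isdigit((unsigned char)s[0])) return -1;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > max_cpu) return -1;
    return (int)v;
}

/* Governor must be an exact token of the kernel's own list, i.e. the
 * contents of scaling_available_governors passed in as `available`. */
int governor_allowed(const char *gov, const char *available) {
    size_t n = gov ? strlen(gov) : 0;
    if (n == 0 || n > 15) return 0;          /* 15: assumed upper bound */
    for (const char *p = available; *p != '\0'; ) {
        p += strspn(p, " \n");               /* skip separators */
        size_t len = strcspn(p, " \n");      /* length of next token */
        if (len == n && memcmp(p, gov, n) == 0) return 1;
        p += len;
    }
    return 0;
}

/* Build the only path the helper may open; cpu comes from parse_cpu(). */
int governor_path(char *out, size_t outlen, int cpu) {
    int n = snprintf(out, outlen,
        "/sys/devices/system/cpu/cpu%d/cpufreq/scaling_governor", cpu);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

int main(int argc, char **argv) {
    /* Constructed sample of scaling_available_governors contents. */
    const char *available = "ondemand userspace performance \n";
    char path[128];
    if (argc != 3) { fprintf(stderr, "usage: %s CPU GOVERNOR\n", argv[0]); return 2; }
    int cpu = parse_cpu(argv[1], 255);       /* 255: assumed CPU limit */
    if (cpu < 0 || !governor_allowed(argv[2], available) ||
        governor_path(path, sizeof path, cpu) != 0) {
        fprintf(stderr, "rejected\n");
        return 1;
    }
    printf("would write \"%s\" to %s\n", argv[2], path);  /* dry run only */
    return 0;
}
```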

https://bugzilla.novell.com/show_bug.cgi?id=233147

thoenig@novell.com changed:

  What | Removed | Added
  -----+---------+------------------
  CC   |         | hmacht@novell.com

------- Comment #3 from thoenig@novell.com 2007-01-10 06:01 MST -------

(In reply to comment #1)
> Doesn't Hal itself provide such mechanisms? Danny/Timo?

Yes, it does. This is being done by a HAL addon (/usr/lib/hal/hald-addon-cpufreq).

> The request to add setuid permissions is denied until this is cleared.

The cpufreq applet should use the HAL interface. This obsoletes the requirement of an additional suid binary.

(adding Holger to CC, he's the author of hald-addon-cpufreq)

https://bugzilla.novell.com/show_bug.cgi?id=233147

------- Comment #4 from thoenig@novell.com 2007-01-10 06:04 MST -------

(In reply to comment #2)
> If you can provide simple HAL helper with following API, I will replace it:

<snip>

> -c, --cpu           CPU Number
> -g, --governor      Governor

org.freedesktop.Hal.Device.CPUFreq.SetCPUFreqGovernor ()

> -f, --frequency     Frequency in KHz

IIRC the HAL addon scales the available frequencies to a range from 1-100. I am sure that Holger can comment on that.

https://bugzilla.novell.com/show_bug.cgi?id=233147

------- Comment #5 from hmacht@novell.com 2007-01-10 06:44 MST -------

(In reply to comment #2)
> cpufreq-selector is a simple binary accessing following files:
> /sys/devices/system/cpu/cpu*/cpufreq
> /proc/cpufreq
>
> It does not use HAL.
>
> If you can provide simple HAL helper with following API, I will replace it:
>
> cpufreq-selector --help
> Usage:
>   cpufreq-selector [OPTION...] - CPUFreq Selector
>
> Help Options:
>   -?, --help          Show help options
>
> Application Options:
>   -c, --cpu           CPU Number
>   -g, --governor      Governor
>   -f, --frequency     Frequency in KHz

The HAL addon provides the following methods (more information can be found in the HAL spec [1]):

  GetCPUFreqGovernor
  SetCPUFreqGovernor
  GetCPUFreqPerformance
  SetCPUFreqPerformance
  GetCPUFreqConsiderNice
  SetCPUFreqConsiderNice
  GetCPUFreqAvailableGovernors

So it doesn't provide the possibility to manually set the frequency to a specific one. It just provides the possibility to either set it to fixed low/high, or to tune the dynamic algorithm.

Manually setting the frequency would also require the userspace governor to be used, which ideally shouldn't be the case anymore. It is just used as a fallback if the ondemand governor does not work.

So the actual question is why someone would like to change the frequency manually at all, and why then this person wouldn't be able to log in as root before doing so...

[1] http://gitweb.freedesktop.org/?p=hal.git;a=blob_plain;f=doc/spec/hal-spec.ht...

https://bugzilla.novell.com/show_bug.cgi?id=233147

sbrabec@novell.com changed:

  What          | Removed | Added
  --------------+---------+------------------
  Status        | NEW     | NEEDINFO
  Info Provider |         | hmacht@novell.com

------- Comment #6 from sbrabec@novell.com 2007-01-10 09:00 MST -------

Could you please set SUID bit to the helper and look at gnome-applets, add frequency-change applet and evaluate its usefulness?

If you will consider it useless, we can remove this applet from the package.

https://bugzilla.novell.com/show_bug.cgi?id=233147

hmacht@novell.com changed:

  What          | Removed           | Added
  --------------+-------------------+------
  Status        | NEEDINFO          | NEW
  Info Provider | hmacht@novell.com |

------- Comment #7 from hmacht@novell.com 2007-01-12 06:04 MST -------

Yes, I don't think we need it anymore. I don't think it's a good thing to let the user select the frequency manually, and it also isn't possible in our default setup anyway. It is enough to choose from statically min/statically max and dynamic.

So if someone really likes to set a specific frequency, he should be able to do it via command line or should be able to set setuid bit. So I think it is not worth to put any further work into this applet or to include any more security risk.